The Bazaar, the Maharaja's Ultimatum, and the Shadow of the Future: Extortion and Cooperation in the Zero-Day Market

...
The Bazaar, the Maharaja’s
Ultimatum, and the
Shadow of the Future:
.
Extortion and Cooperation
in the Zero-day Market
.
Alfonso De Gregorio
.
Founder, BeeWise
..
PHDays V, Moscow, May 26th-27th, 2015

..
Discuss
.
/me @secYOUre
#0DayDilemma
#PHDays

..
Agenda
.
1. The Zero-day Market
A hairy business
2. Relevance
Should I care?
3. The Zero-day Dilemma
Extortion and Cooperation in the Zero-day Market
4. Recommendations to Zero-day traders
How to maximize the payoﬀ?

...
The Zero-day Market
.
1/112
TheZero-dayMarket

..
Inherent obstacles
.
The Zero-day Market
.
28/112
1. Time-sensitiveness of traded commodities
2. Trust
3. Price fairness
4. Possibility of defection

..
A hairy business
.
The Zero-day Market
.
29/112
..

..
The Legitimate Vulnerability Market
.
The Zero-day Market
.
30/112
..

..
Time-sensitive commodity
.
The Zero-day Market
.
31/112
..
. Valuable only when they are not
widely known
. Value drops to zero, as soon as the
vulnerability is disclosed or a
mitigation is released
. Transactions should complete in
short times
. Discretion required

...
Every day can be the last day for a 0-day sale

..
Trust
.
The Zero-day Market
.
33/112
..
. No centralized way to locate its
players
. Finding buyers and sellers is
time-consuming
. Unfamiliar business partners
. Hard to verify intentions

...
Oh, grandmother, what a horribly big mouth you have!

..
Lack of transparency and price fairness
.
The Zero-day Market
.
35/112
..
. Adoption levels of the vulnerable
component
. Presence within a given attack
surface
. Level of authentication required to
exploit it
. Diﬀiculty of independent
rediscovery
. Exploit reliability

..
Tension
.
The Zero-day Market
.
37/112
..
. Disclose and lose?
. Proving without disclosing
. Two approaches: reveal or
demonstrate
. Both undesirable

..
Reveal
.
The Zero-day Market
.
39/112
..
. Whoever moves first and lose your
asset
. Buyer steals the vulnerability, if the
seller reveals it before the sale
. Seller runs away with the money, if
the buyers pays in advance

..
Demonstrate
.
The Zero-day Market
.
40/112
..
. Whoever controls the computing
environment has an edge
. Does the seller tampers with the
computing environment?
. Does the buyer records the working
of the exploit and steal it?

...
Any vulnerability claim can’t be ensured

..
Exclusive rights to the buyer
.
The Zero-day Market
.
44/112
..
. Grant exclusive rights, to receive the
largest payoﬀs
. What if the seller defects, selling the same
zero-day to multiple parties?
. This time are the buyers to lack a mean to
protect themselves
. Forcing to return the funds?
. Diﬀiculty to identify sellers, to attribute
multiple transactions to the same
supplier, and to enforce contracts helps
the seller willing to betray

..
Proposed solutions
.
The Zero-day Market
.
46/112
. Use punishment (i.e., public disclosure of vulnerabilities) to discourage a
buyer from defecting;

..
Proposed solutions
.
The Zero-day Market
.
46/112
. Resort to the use of trusted-third parties (e.g., escrow services), as crucial
entities for enabling cooperation of market participants;

..
Proposed solutions
.
The Zero-day Market
.
46/112
. Resort to the use of trusted-third parties (e.g., escrow services), as crucial
entities for enabling cooperation of market participants;
. Build a reputation system (e.g., reputation score) as an instrument to
establish trust relationships between distrustful players.

..
Motivating questions
.
The Zero-day Market
.
49/112
1. Can the zero-day market achieve cooperation and eﬀiciency even in
absence of trusted-third parties?

..
.
The Zero-day Market
.
49/112
2. Can punishment discourage the buyer from defecting?

..
.
The Zero-day Market
.
49/112
3. Under which conditions a player can extort the opponent?

..
.
The Zero-day Market
.
49/112
4. Can cooperation be sustained also in fully anonymous settings?

..
.
The Zero-day Market
.
49/112
4. Can cooperation be sustained also in fully anonymous settings?
5. What about semi-anonymous settings?

...
Which trading strategy to employ?

...
Relevance
.
51/112
Relevance

..
/me
.
Relevance
.
52/112
At the intersection of so ware security and security so ware,
exploring, and trying to contain, the space of unanticipated state.

..
Market failure
.
Relevance
.
53/112
...

..
Inability to self-correct
.
Relevance
.
54/112
..
. So ware manufacturers will not
forgo market shares
. So ware users will not forgo
features
. Attackers will not forgo attacking
tens of millions of vulnerable
systems

..
Inability to self-correct
.
Relevance
.
55/112
..

..
Should I care?
.
Relevance
.
56/112
1. More interconnected

..
Should I care?
.
Relevance
.
56/112
2. More interdependent

..
Should I care?
.
Relevance
.
56/112
3. Greater dynamic range of possible failure

..
Should I care?
.
Relevance
.
56/112
4. Vulnerability information is key to both oﬀensive and defensive purposes

..
Should I care?
.
Relevance
.
56/112
4. Vulnerability information is key to both oﬀensive and defensive purposes
5. Prominent role in modern-day intelligence, national security, and law
enforcement operations

..
Nation-state actors
.
Relevance
.
57/112
..

..
LEAs
.
Relevance
.
58/112
..

..
Vendors
.
Relevance
.
59/112
..

..
Where the results find application?
.
Relevance
.
60/112
..
. Over-the-counter zero-day trading

..
.
Relevance
.
60/112
..
. Boutique exploit providers oﬀering
zero-day vulnerabilities for a
subscription fee

..
.
Relevance
.
60/112
..
. Boutique exploit providers oﬀering
zero-day vulnerabilities for a
subscription fee
. Service models for vulnerability
research

...
The Zero-day Dilemma
.
61/112
TheZero-dayDilemma

...
The Maharaja’s Ultimatum

..
Ultimatum Game
.
.
65/112
..
. A game in economic experiments
. Proposer: receives a sum of money
and propose how to divide the sum
between himself and another
player
. Responder: chooses to either
accept or reject the proposal
. If he accepts, the money is split
according to the proposal
. If he rejects, neither player receives
any money

..
Prisoner’s Dilemma
.
.
66/112
..
. Two purely “rational” individuals might
not cooperate, even if it appears that it is
in their best interest to do so
. Two prisoners that commited a crime
. If they both do not confess, they get a low
punishment
. If they both confess, they get a more
severe punishment
. If one confesses and the other does not,
then the one that confesses gets a very low
punishment and the other gets a very
severe punishment

..
IPD
.
.
67/112
The Iterated Prisoner’s Dilemma (IPD) is a repeated game, where the PD is the
stage game. Agents play the PD game an indefinite number of times.

..
The 0-Day Dilemma
.
.
68/112
..

..
Submissive scenario
.
.
69/112
..
. Traders are playing the standard PD
. R > P implies that mutual
cooperation is superior to mutual
defection
. T > R and P > S imply that defection
is the dominant strategy for both
agents
. Or, defection is better than
cooperation for one player, no
matter how that player’s opponent
may play

..
Adaptive scenario
.
.
70/112
..
. Neither the buyer nor the seller have a
dominant strategy, if we assume Z > S and
the U < R
. If the betryed seller has the ability to close
alternative deals for the same exploit (i.e.,
1-Day FUD, 1-Day private exploits), then
defection would not be a dominant
strategy anymore
. The market nature plays a role
. Today not a monopsony and weakly
regulated. Tomorrow rules and
regulations may emerge in this area (e.g.,
Wassenaar Arrangement) and may impact
the market liquidity

..
MAD scenario
.
.
71/112
..
. A variant of the standard PD, where the
seller has the ability to negate the buyer
the temptation to defect
. Just make sure T approaches P
. Hence, defection is not a dominant
strategy for the buyer
. If factors such as market liquidity,
export/trade regulations, mean-time to
close a deal prevent the Adaptive
retaliation approach from being
undertaken, then the seller should
consider disclosing publicly the exploit or
the vulnerability.

..
MAD scenario
.
.
72/112
..
. This would not make herself worse oﬀ
. The seller would reduce the buyer
incentives to defect in the first place

..
FD & Brinkmanship
.
.
73/112
..
. To this end, it is important for the
0-Day sellers to have an eﬀicient
mean for doing full-disclosure

..
FD & Brinkmanship
.
.
73/112
..
. Not for the sake of bragging rights
anymore, but for modern-day
brinkmanship

..
FD & Brinkmanship
.
.
73/112
..
. Not for the sake of bragging rights
anymore, but for modern-day
brinkmanship
. As faster the disclosure of the
vulnerability, as shorter the
window of opportunity to the
exploiter and the smaller the
Residual payoﬀ (V)

..
Fair share of troubles
.
.
74/112
..
. Since July 2002 the Full-Disclosure
list experienced a “fair share of
legal troubles along the way.”
. Posting on a mailing list may
transalte in an OPSEC failure, if the
anonymity of the submitter is not
protected

..
WhistleDay or ZeroLeaks
.
.
75/112
. A 0-Day disclosure platform
. Researchers could use it for full-disclosure
. Players in the Zero-day market could use to retaliate against buyers who
defect
. Insiders would turn to it to expose the secretive trade in intrusion and
surveillance technologies
. Dub it WhistleDay or ZeroLeaks, if you like

..
Cooperation is possible
.
.
76/112
. As long as the seller doesn’t play in the Submissive scenario, the buyer is
not better oﬀ defecting

..
.
.
76/112
. In the one-shot sequential 0-Day Dilemma cooperation is possible

..
.
.
76/112
. If this is not the case, the rational outcome is the action profile of mutual
defection

..
.
.
76/112
defection
. “We have to distrust each other. It’s our only defense against betrayal.” —
Tennessee Williams

..
.
.
76/112
defection
. “We have to distrust each other. It’s our only defense against betrayal.” —
Tennessee Williams
. “The dilemma then is that mutual cooperation yields a better outcome than
mutual defection but it is not the rational outcome because the choice to
cooperate, at the individual level, is not rational from a self-interested point
of view.”

..
Cooperation as an Equilibrium
.
.
77/112
If no form of punishment can be
undertaken by the seller, can the
cooperative outcome still be sustained
as an equilibrium?

..
Iterated 0-Day Dilemma
.
.
78/112
. The Iterated 0-Day Dilemma (I0DD) is a repeated game, where the 0-Day
Dilemma is the stage game. Agents play the 0-Day Dilemma game an
indefinite number of times

..
Iterated 0-Day Dilemma
.
.
78/112
. . The Iterated 0-Day Dilemma (I0DD) is a repeated game, where the 0-Day
Dilemma is the stage game. Agents play the 0-Day Dilemma game an
indefinite number of times
Remark: Whenever the Submissive scenario applies, the I0DD reduces to
the Iterated Prisoner’s Dilemma

..
Three settings
.
.
79/112
. ..
. Onymous: The traders know the
identity of the party they are
dealing with

..
Three settings
.
.
79/112
..
dealing with
. Anonymous: Trades takes place
among strangers

..
Three settings
.
.
79/112
..
dealing with
. Anonymous: Trades takes place
among strangers
. Semi-anonymous: Either the buyer
or the seller is anonymous

..
Cooperation is possible in onymous economies
.
.
80/112
..
Aumann, Robert (1959). “Acceptable points
in general cooperative n-person games”. In
Luce, R. D.; Tucker, A. W. Contributions to
the Theory 23 of Games IV. Annals of
Mathematics Study 40. Princeton NJ:
Princeton University Press. pp. 287–324.
MR 0104521.

..
William Press and Freeman Dyson
.
.
81/112
...

..
Sentient Player
.
.
82/112
..
. Power granted to a sentient player
. A player with a theory of mind
. Who realize that her behavior can
influence her opponents’ strategies

..
Zero Determinant (ZD) Strategies
.
.
83/112
...

..
Extortion
.
.
84/112
..
If one trader is aware of ZD strategies, but
the opponent is an evoutionary player then
the former can choose to extort the latter

..
Evolutionary players
.
.
85/112
..
A player is said to be evolutionary is she
posses no theory of mind and instead
simply seeks to adjust her strategy to
maximize her own score in response to
whatever the adversary is doing

..
Extortion strategies
.
.
86/112
. Grant a disproportionate number of high payoﬀs to the extortionist
. It is the victim’s best interest to cooperate with the extortionist, because she
is able to increase her score by doing so
. In so doing, she ends up increasing the extortionist’s score even more than
her own
. She will never catch up to the extortionist, and she will accede to her
extortionist because it pays her to do so

..
An extortionist relation
.
.
87/112
Sx − P = 3(Sy − P)

..
Extortionist strategy: Example
.
.
88/112
..
. Let R = 3, T = 5, P = 1, S = 0
. Let the desired payoﬀ relation be
Sx − P = 3(Sy − P)
. If we both cooperated last time, then I
cooperate with probability 11/13
. If I cheated you last time (you cooperated
and I defected), then I cooperate with
probability 7/26
. If you cheated me last time (I cooperated
and you defected), then I cooperate with
probability 1/2
. If we both defected last time, I defect
. On average over the long run, my score
minus one will be thrice your score minus
one

..
Press and Dyson
.
.
89/112
..

..
IPD == Ultimatum Game
.
.
90/112
..
If both players are sentient, but only one is
aware of ZD-Strategies, then the IPD
reduces to the Ultimatum Game

..
IPD == Ultimatum Game
.
.
91/112
..
. Let’s suppose both players are sentient
. Let’s suppose the buyer only knows about
ZD-strategies
. The buyer tries to extort the seller
. The seller eventually notice
. The seller decide to sabotage the scores of
both
. This is an Ultimatum Game. The buyer
proposes an unfair ultimatum. And the
seller respond.

..
Generous ZD-Strategies
.
.
92/112
..
. If both players are sentient and witting of
ZD-Strategies, then they can agree on
playing a Generous ZD-Strategy

..
.
.
92/112
..
. In fact any tentative to extort the opponent
would result in a low payoﬀ for both

..
.
.
92/112
..
. It is rational to agree on a fair cooperation
strategy

..
.
.
92/112
..
strategy
. They agree to unilaterally set the other’s
score to an agreed value (presumably the
maximum possible)

..
.
.
92/112
..
strategy
maximum possible)
. Neither player can then improve her score
by violating the strategy

..
.
.
92/112
..
strategy
maximum possible)
. Neither player can then improve her score
by violating the strategy
. Each is punished for any purely malicious
violation

..
A generous relation
.
.
93/112
Sx − R = 2(Sy − R)

..
Generous ZD-strategy: Example
.
.
94/112
..
. Let R = 3, T = 5, P = 1, S = 0
. Let the desired payoﬀ relation be
Sx − R = 2(Sy − R)
. If we both cooperated last time, then I
cooperate
. If I cheated you last time (you cooperated
and I defected), then I cooperate with
probability 8/10
. If you cheated me last time (I cooperated
and you defected), then I cooperate with
probability 3/10
. If we both defected last time, I cooperate
with probability 2/10
. On average over the long run, my score
minus three will be twice your score minus
three

..
Under the assumption...
.
.
95/112
..
. Ascribe past actions to the same
market participants
. Choose strategies according to the
outcome of past interactions

..
Anonymous Black Market
.
.
96/112
..
. Is cooperation possible in
anonymous zero-day markets?

..
.
.
96/112
..
. Do you believe it is?

..
.
.
96/112
..
. Do you believe it is?
. If yes, which institutions for
monitoring and enforcement
promote cooperation in this
setting?

..
Cooperation among Strangers
.
.
97/112
..

..
Anonymous Economies: Camera and Casari 1
.
.
98/112
..
. Cooperation is high and increases
with experience

..
.
.
98/112
..
with experience
. Low degree of cooperation when
subject see aggregate outcomes
without observing identities (e.g.,
as might result from discussing
trading experiences in anonymous
fora)

..
.
.
98/112
..
with experience
. Low degree of cooperation when
subject see aggregate outcomes
without observing identities (e.g.,
as might result from discussing
trading experiences in anonymous
fora)
. Costly personal punishment
significantly promotes cooperation

..
.
.
99/112
..
. Subject were given the possibility
to observe actions and outcomes in
their game and to inflict, at a cost, a
loss in the earnings of the defecting
opponent

..
.
.
99/112
..
opponent
. Camera and Casari added a second
stage in the one-shot game

..
.
.
99/112
..
opponent
. Camera and Casari added a second
stage in the one-shot game
. The retaliation stage resembles in
full the Adaptive and MAD
scenarios in the 0-Day Dilemma

..
.
.
100/112
..
. The player who obseverd the
opponent defect sometimes
employed personal punishment
(i.e., in-match retaliation), while
staying in cooperative mode in the
following periods

..
.
.
100/112
..
following periods
. Players show preference for
in-match retaliation over the
(equilibrium) informal retaliation

..
.
.
100/112
..
following periods
. Players show preference for
in-match retaliation over the
(equilibrium) informal retaliation
. Eﬀiciency: defectors who had been
punished by a cooperator were
more likely to cooperate in the
following periods (34.5% vs 24.1%)

..
Punishment as a Public Good
.
.
101/112
..
. It significantly increases
cooperation

..
Punishment as a Public Good
.
.
101/112
..
. It significantly increases
cooperation
. The subject that benefit the most
are cooperator who punish little or
not at all

..
Semi-anonymous Zero-day markets
.
.
102/112
..
. If only one party is anonymous, the
onymous counterpart has not ability to
know if she already had any deals with the
same participant

..
.
.
102/112
..
same participant
. The latter can’t benefit from being sentient
and is forced to choose her strategies as an
evolutionary player would do

..
.
.
102/112
..
same participant
. If the anonymous party knows about the
ZD-strategies, she can choose to extort the
opponent

..
.
.
102/112
..
same participant
. If the anonymous party knows about the
ZD-strategies, she can choose to extort the
opponent
. Hence, while cooperation can emerge in
fully-anonymous markets, extortion can
profilate in the semi-anonymous
economies

..
To sum up
.
.
103/112
. Zero-day markets can achieve cooperation even in absence of trusted-third
parties

..
To sum up
.
.
103/112
parties
. Cooperation can be sustained even when traders are anonymous

..
To sum up
.
.
103/112
parties
. Punishment is an eﬀective instrument to discourage traders from defecting

..
To sum up
.
.
103/112
parties
. Punishment is an eﬀective instrument to discourage traders from defecting
. It is possible to get extorted, if the adversary knows about ZD-Strategies
and we simply seek to adjust our strategy to maximize our own profit

...
Recommendations
.
104/112
Recommendations

..
Recommendations
.
Recommendations
.
105/112
1. Do not deal with anonymous traders, if you cannot ensure your own
anonymity

..
Recommendations
.
Recommendations
.
105/112
anonymity
2. Discourage defection by practicing brinkmanship or casting the shadow of
the future in every decision of your counterpart

..
Recommendations
.
Recommendations
.
105/112
anonymity
3. Respond: Consider punishing defection to promote cooperation

..
Recommendations
.
Recommendations
.
105/112
anonymity
4. Let the seller supply the vulnerability first, if interested in a one-time deal

..
Recommendations
.
Recommendations
.
105/112
anonymity
5. Learn about Zero Determinant strategies, if playing in an onymous market

..
Recommendations
.
Recommendations
.
105/112
anonymity
5. Learn about Zero Determinant strategies, if playing in an onymous market
6. Grim trigger: forever defect, if you see defection while playing in an
anonymous market and have no ability to punish the opponent

..
Experimental verification
.
Recommendations
.
106/112
If interested, please be in touch

..
Spring 2015: Speaking Dates
.
Recommendations
.
107/112
. May 26th, PHDays V, Moscow, Russian Federation
. May 28th, HITBSecConf 2015, Amsterdam, Netherlands
. June 4th, AusCERT 2015, Gold Coast, Australia

..
“
Though I am o en in the depths of misery, there is still calmness, pure harmony
and music inside me.
Vincent van Gogh..
”

..
“
Though we are o en in the depths of insecurity, there is still calmness, pure
harmony and music inside us. ..
”

..
BeeWise
.
Backup
.
114/112
..
. BeeWise is the first prediction market for
forecasting security events and trends
. More specifically, it is a security-event
futures exchange where participants trade
contracts whose payoﬀs are tied to future
events in information security, such as the
discovery of a given so ware vulnerability,
a security incident, or the diﬀusion of new
malware

..
BeeWise
.
Backup
.
114/112
..
. With a large enough number of people
betting on the outcome of selected events,
the prices of the contracts will be an
approximate measure of the probability of
the underlying events at any time. The
ability to use market prices as
forward-looking indicators of security
properties will help in establishing
information symmetry between buyers
and sellers (ie., build a quality signal), and
help security stakeholders to make better
and more informed decisions, by telling
mediocre security products from good
ones

The Bazaar, the Maharaja's Ultimatum, and the Shadow of the Future: Extortion and Cooperation in the Zero-Day Market

Recommended

Recommended

More Related Content

Viewers also liked

Viewers also liked (11)

Similar to The Bazaar, the Maharaja's Ultimatum, and the Shadow of the Future: Extortion and Cooperation in the Zero-Day Market

Similar to The Bazaar, the Maharaja's Ultimatum, and the Shadow of the Future: Extortion and Cooperation in the Zero-Day Market (20)

Recently uploaded

Recently uploaded (20)

The Bazaar, the Maharaja's Ultimatum, and the Shadow of the Future: Extortion and Cooperation in the Zero-Day Market